The Meta-owned social media company, Instagram, has been fined €405 million ($403M) by the Irish Data Protection Commission (DPC) for violations of the EU’s General Data Protection Regulation (GDPR). The financial penalty is the largest ever imposed on Meta of its companies for GDPR violations and follows a €225 million ($224M) penalty for WhatsApp and a €17 million ($16.96M) fine for Facebook. The latest fine is the second largest GDPR penalty ever imposed. – The €746 million ($744M) penalty imposed on Amazon.
Meta, like many other bit big tech firms, has its European base in Ireland. Under the one-stop-shop mechanism of the GDPR, when a company is engaged in the cross-border processing of the personal data of EU citizens, the Data Protection Authority in the country where a company has its EU base takes the lead in any investigations of GDPR violations. The lead supervisory authority is responsible for coordinating any aspects of the investigations in other states. The Irish DPC had to trigger dispute resolution mechanisms over the input received by other EU data protection authorities in order to impose the financial penalty.
Instagram was informed of the final decision on the penalty on Friday and the Irish DPC is due to publish a summary of the decision on its websites this week; however, the size of the fine was leaked to Politico which recently reported on the financial penalty. The Irish DPC has confirmed that the penalty amount is correct, and full details of the Instagram GDPR violations that warranted such a sizable penalty will be published by the Irish DPC in due course.
This post will be updated when further information on the Instagram GDPR fine is published, but what is known is the fine relates to the violation of children’s privacy, namely the publication of the email addresses and phone numbers of children. That information was published by default under the default settings in the business account service of the app.
Meta has confirmed that it will be appealing the financial penalty. Meta says it is unhappy with how the fine was calculated, says the issue at hand has been corrected, and that it cooperated fully with the Irish DPC throughout the investigation.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” said a spokesperson for Meta in response to the penalty. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”